Device for limiting fraud in an integrated circuit card

ABSTRACT

An integrated circuit device has a memory area that includes a data memory. The data memory has a counter element and an indicator element. The counter element counts at least one number of occurrences of events within the device. When the counter element reaches a threshold value, which is indicative of a large maximum number of occurrences of the events, the indicator element goes from a first state to a second state.

FIELD

The present invention relates to an integrated circuit device having a memory area comprising a data memory.

BACKGROUND

Such integrated circuit devices are widely used in applications where information processing security is essential. In particular, these are integrated circuit cards including applications relating to the fields of health, mobile telephony, or also banking applications.

An integrated circuit card is composed of a plastic card body which incorporates an electronic unit. This card communicates with a terminal, for example a mobile telephone, a banking terminal or also a computer, through a communications network and is able to send messages containing encrypted information to said terminal through the network so as to make information transfers secure. In everyday language, the message is said to be signed. For computing encrypted information, the card employs a secret coding key which is located within the data memory of its memory area and an encryption algorithm.

Although information transfers are thus made secure, an integrated circuit card remains vulnerable since a forger could perform many actions on the card which would allow him or her to uncover its secrets. Thus, said forger, wishing to find the coding key, could for example send a signature instruction message to the card and keep a record of the signals generated when executing said instruction. Thereafter, he or she could send a large number of signature instructions for the same message, expose the card to electromagnetic perturbations at specific time points during the progress of said algorithm and keep records of the various emitted signals. By matching records of signals obtained during perturbations with the first record, forgers can analyze differences or the absence of differences between the various obtained encrypted pieces of information in order to uncover a coding key portion. Thus, in spite of the secure information transfer performed by the card, forgers can still access confidential information by performing a very large number of actions on the integrated circuit card.

Thus, a technical problem to be solved by the present invention is to provide an integrated circuit device having a memory area comprising a data memory, which device would allow the card to become more secure by restricting the number of forgery actions that can be performed on the card.

SUMMARY

According to the present invention, a solution to the technical problem posed is such that the data memory contains at least one counter element, and at least one threshold value, which counter element, on the one hand, counts at least one number of event occurrences within said device, and, on the other hand, is likely to reach said threshold value which is indicative of a large maximum number of occurrences of said events, wherein the data memory comprises at least two indicator elements residing at non-contiguous locations within the data memory, said indicator elements being associated with said counter element and said indicator element being designed to go from a first state to a second state when said counter element has reached said threshold value.

Thus, as explained in detail below, the device according to the invention makes it possible to restrict the number of possible actions or events performed on said integrated circuit card, on the one hand, by means of a counter element which will count the number of actions performed taking into account an action or a group of actions, and, on the other hand, by means of an indicator element which will indicate that the threshold value of the event or action occurrence number has been reached, so that afterwards, a sanction can be applied the next time said threshold value is exceeded.

Other features and advantages of the invention will become apparent in the following description of preferred embodiments of the present invention, provided by way of non-limiting examples, in reference to the appended figures.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram of an integrated circuit device according to the invention, here an integrated circuit card.

FIG. 2 is a schematic diagram showing a memory area in the card of FIG. 1 according to the invention.

FIG. 3 is a schematic diagram showing the distribution of counter and indicator elements within the memory area of FIG. 2.

FIG. 4 is a schematic diagram showing another distribution of counter and indicator elements within the memory area of FIG. 2.

FIG. 5 is a schematic diagram of another embodiment of the invention, wherein the memory area of FIG. 2 has two identical indicator elements.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 shows an integrated device 10 which, in the disclosed embodiment, is an integrated circuit card.

Card 10 has a control unit 11 (such as a central processor unit or CPU), a memory area 12 having a data memory 14 and a contact block 13, for electrical connection, for instance to a card-reader connector.

Memory area 12 is shown in FIG. 2. It has a counter element CPT, a threshold value VS, and an indicator element I as well as disabling means Mb, said indicator element being designed for going from a first state e1 to a second state e2 when the counter element has reached said threshold value. While the card is being used, several events can occur, an event being an action which occurs within said device and leads to some result, for which a mean occurrence number can be determined while the device is being used. Thus, for example, a power-on is an event in response to which the card will send a message, often called “the reply-to-reset message”. The sending of a signed message is also an event.

While a card is being used, for a particular application, the mean number of events that can occur, for example of the type “send signed message”, can be determined. Thus, for banking applications, over a two-year period which is typical of a credit card's life span, there will be an average of three hundred signed messages for a card belonging to a user who employs the card about three times a week, and six hundred for a user who uses it about five times a week.

In FIG. 2, a counter element CPT counts at least one number of event occurrences in the card, for example the signed message occurrence number. The counter element may reach the threshold value VS, which is indicative of a large maximum number of occurrences of said events. In the case when the integrated circuit card comprises a read only memory (ROM), an erasable and programmable read only memory (EPROM) and an electrically erasable programmable read only memory (EEPROM), the threshold value VS, since it is fixed, can reside within one of the three memories, wherein said memories, according to the present disclosure, are a data memory, whereas the counter and indicator elements will reside within a PROM, since their value can vary.

According to the invention, the threshold value represents an unlikely number of occurrences of such events which occur within said device when normally used. In order to detect fraudulent usage of the device, this maximum number of event occurrences is chosen to be large since it represents the number of unlikely event occurrences, and therefore, this large maximum number of event occurrences is greater than about one hundred, and preferably, greater than about one thousand. With such values, different events in different applications can be taken into account. In the aforementioned example, it is known that it is unlikely that two thousand signed message occurrences will occur between the card and a banking terminal. Therefore, in this case, the threshold value will be set to two thousand. If such a case occurs, it is very likely caused by a forger attempting to uncover secrets stored within the card.

Therefore, to prevent forgery, when element CPT has reached threshold value VS, indicator element I goes from a first state e1 to a second state e2, which is also referred to as element I going from a passive state to an active state, and memory area 12 in the device according to the invention further includes means Mb for disabling the operation of said device when an indicator element has gone to the second state e2. Thus, if two thousand occurrences of signed messages have been reached, an element I is enabled and the disabling means Mb, after having checked the state of said element I, disables the card, which can no longer either receive or generate any event of the same nature as the one that has enabled the indicator element, which event, in the present case, is a signed message type of event, or receive any event or take any action whatsoever. In the latter case, the card can no longer be used and is conventionally said to be silent.

According to a first embodiment of the device according to the invention, a counter element is defined for a unique event.

Therefore, in FIG. 3, counter element CPT1 is defined for event E1, element CPT2, for event E2 and element CPT3, for event E3.

However, although events can be of different nature, their occurrence numbers during the life span of a card can be of the same order of magnitude and therefore their unlikely occurrence numbers can be the same. As a consequence, it may be desired to classify them into the same category. For example, it may be assumed that sending signed messages belongs to the same category as sending encrypted messages. Thus, according to a second embodiment of the device according to the invention, a counter element is defined for at least two events, which events belong to the same category. Thus, according to the schematic diagram shown in FIG. 4, counter elements CPT1 and CPT2 are defined for two event categories (E1, E2, E3) and (E4, E5), respectively.

In both embodiments according to the invention, a threshold value is defined for each counter element. Thus, values VS1, VS2 and VS3 being associated with each respective event, such as in the case of FIG. 3, is equivalent to values VS1 and VS2 being associated with each respective category of events, such as in FIG. 4. When an element CPT has reached its threshold value VS, indicator elements indicate that the maximum allowed number of event occurrences represented by threshold value VS has been reached.

In both aforementioned embodiments, said indicator elements can be implemented in two different ways.

According to a first variation shown in FIG. 3, in the device according to the invention, at least one indicator element I is defined for a unique counter element CPT. Thus, when counter element CPT1 reaches threshold value VS1, indicator element I1 goes to the second state e12. The disabling means Mb checks the state of element I1 and as soon as the latter has gone to the second state, it disables the card, which is also the case for elements I2 and I3.

According to a second variation of the embodiment shown in FIG. 4, in the device according to the invention, at least one indicator element I is defined for at least two counter elements CPT. Thus, when one of elements CPT1 and CPT2 reaches its respective threshold value VS1 or VS2, element I1 goes from state e11 to state e12, which indicates that a forgery has taken place and as a consequence, means Mb disables the card.

Thus, according to both embodiments, and to both associated variations, the number of event occurrences within the card and therefore the number of possible actions that can be performed on the card by a forger, are restricted.

However, a forger could modify the state of an indicator element by making it passive if it was previously active, before means Mb can disable the card and therefore could freely continue penetrating card secrets.

Thus, the data memory 14 in the device according to the invention has at least two identical indicator elements residing at non-contiguous locations within the data memory, said elements being attached to the same set of counter elements comprising one or more counters according to the variations mentioned above in reference to FIGS. 3 and 4. As shown in FIG. 5, indicator element I'1 is the same as I1 since they are both attached to elements CPT1 and CPT2 and both go from a first state to a second state at the same time when either one of these two counter elements has reached its maximum value. Moreover, the indicator elements reside within data memory 14 in the card at non-contiguous locations, so as to prevent forgery such as modifying the state of all active identical indicator elements, which forgery would be made easier by the elements residing at closely spaced locations. Thus, even if a forger manages to modify the state of one element I by making it passive, other identical indicator elements will remain active because, in such a case, it will be unlikely for said forger to find the location of all identical indicator elements.

On the other hand, in the device according to the invention, disabling means Mb disables the operation of said device when the state of one indicator element is different from that of another identical indicator element. The forger's action can thus be countered.
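The following C model is an added example, not taken from the patent: it shows a counter element CPT, threshold value VS, two identical indicator elements at non-contiguous offsets, and disabling means Mb that silence the card when an indicator is active or when the two copies disagree. The memory layout, offsets, state byte values and function names are assumptions; VS is the two-thousand value from the banking example above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of data memory 14; offsets and state bytes are assumptions. */
#define MEM_SIZE 64
#define OFF_CPT  0      /* counter element CPT, 16-bit little-endian */
#define OFF_I    17     /* indicator element I */
#define OFF_I2   45     /* identical indicator I', non-contiguous with I */
#define VS       2000u  /* threshold value from the banking example */
#define E1       0x00   /* first (passive) state */
#define E2       0xA5   /* second (active) state */

typedef struct { uint8_t mem[MEM_SIZE]; } card_t;

static void card_init(card_t *c) {
    memset(c->mem, 0, MEM_SIZE);            /* CPT = 0 */
    c->mem[OFF_I] = c->mem[OFF_I2] = E1;    /* both indicators passive */
}

static uint16_t get_cpt(const card_t *c) {
    return (uint16_t)(c->mem[OFF_CPT] | (c->mem[OFF_CPT + 1] << 8));
}

/* Disabling means Mb: nonzero when the card must stay silent. Anything other
 * than "both passive" disables: an active indicator, a mismatch between the
 * two copies, or a corrupted state byte. */
static int mb_disabled(const card_t *c) {
    return !(c->mem[OFF_I] == E1 && c->mem[OFF_I2] == E1);
}

/* One counted event (e.g. "send signed message"): 0 if served, -1 if silent. */
static int card_event(card_t *c) {
    if (mb_disabled(c)) return -1;
    uint16_t n = (uint16_t)(get_cpt(c) + 1);
    c->mem[OFF_CPT] = (uint8_t)(n & 0xFF);  /* count before the sensitive work */
    c->mem[OFF_CPT + 1] = (uint8_t)(n >> 8);
    if (n >= VS) c->mem[OFF_I] = c->mem[OFF_I2] = E2;
    return 0;                               /* signature would be computed here */
}

int main(void) {
    card_t c; card_init(&c);
    unsigned served = 0;
    while (card_event(&c) == 0) served++;
    c.mem[OFF_I] = E1;                      /* one copy forced back to passive */
    printf("served=%u after_tamper=%d\n", served, card_event(&c));
    return 0;
}
```

Because Mb accepts only the "both passive" combination, resetting a single indicator copy leaves the card silent, which is the mismatch rule of the paragraph above.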

It should be appreciated that in any case, the values of the first states of indicator elements can be equivalent to, or different from each other. The same is also true for the second state values.

Thus, with both embodiments and both variations of the indicator elements, and due to the system using identical indicator elements, the device according to the invention allows the card to be made more secure by restricting the number of possible actions that can be performed on it by a forger.

What is claimed is:
1. An integrated circuit device having a memory area comprising a data memory having at least one counter element and having at least one threshold value, wherein said counter element, on the one hand, counts at least one occurrence number of events occurring within said device and, on the other hand, can reach said threshold value, which is indicative of a large maximum number of occurrences of said events, wherein the data memory comprises at least two indicator elements residing at non-contiguous locations within the data memory, said indicator elements being associated with said counter element and being designed to go from a first state to a second state when said counter element has reached said threshold value.
2. The device according to claim 1, wherein an event is an action occurring within said device which leads to a result and whose mean number of occurrences during the lifetime of said device can be determined.
3. The device according to claim 1, wherein said threshold value represents an unlikely number of occurrences of said events occurring within said device during normal use of said device.
4. The device according to claim 1, wherein a threshold value is defined for each counter element.
5. The device according to claim 1, wherein a counter element is defined for a unique event.
6. The device according to claim 1, wherein a counter element is defined for at least two events.
7. The device according to claim 1, wherein said memory area comprises means for disabling the operation of said device when an indicator element has gone to the second state.
8. The device according to claim 7, wherein disabling means disable the operation of said device when the state of one indicator element is different from the state of another identical indicator element.
9. The device according to claim 1, wherein said large maximum number of event occurrences is greater than about one hundred, and preferably, greater than about one thousand.